Juniper Networks - How do I interpret the snoop output?

What do the fields vhl, tos, id, frag, etc indicate in the snoop output?

How do I read the snoop trace?
What is the meaning of the field frag= in the snoop output?

To explain the various SNOOP output fields, it is best to use an example.

Sample SNOOP Output:

Line 1 35455.0: ethernet1(i) len=74:0010db1c5921->0010db1b44b4/0800

Line 2 10.1.10.5->1.1.70.250/1

Line 3 vhl=45, tos=00, id=49627, frag=0000, ttl=63, tlen=128

Line 4 icmp:type=8, code=0

Line 1 35455.0: ethernet2(o) len=74:0010db1b44ba->0010db21be61/0800

Line 2 10.0.10.5->1.1.70.250/1

Line 3 vhl=45, tos=00, id=49627, frag=0000, ttl=62, tlen=128

Line 4 icmp:type=8, code=0

Interpreting Line 1:

35455.0 Timer - this is the number, in seconds, since the last time the firewall was booted.

ethernet1( i )
Interface (direction) - where:
( i ) = incoming
( o ) = outgoing

len=74 ethernet frame length

0010db1c5921 Source MAC address

0010db1b44b4 Destination MAC address

0800 Protocol Type

Interpreting Line 2:

10.1.10.5 Source IP address

1.1.7.250 Destination IP address

1 Protocol (ICMP in this example)

Interpreting Line 3:

vhl version/header length - IP version 4 and 5 32 bit words

tos Type of service - this is not precedence or QOS bits set

id=49627 Datagram ID

frag=0000 IP fragmentation fields in Hex (16-bits)
1-bit   = reserved (not used)
1-bit   = DF bit
1-bit   = more-frags (0 for last fragment, 1 for all others)
13-bit = fragment offset (multiply by 8 for bytes offset)

For example:
frag=2000 (0010 0000 0000 0000)
more-frag set + 0 offset: this is the first fragment of packet.

frag=4000 (0100 0000 0000 0000)
DF set: packet not fragmented.

frag=00b9 (0000 0000 1011 1001)
more-frag not set: this is the last fragment.
offset field (...0 0000 1011 1001) = 185,
- multiply by 8 = 1480 bytes offset.

ttl=63 time to live value

tlen=128 Total datagram length (bytes)

Interpreting Line 4:

icmp Key protocol header fields.

For traffic incoming to an interface (i.e. ethernet1(i):), the Destination MAC would be the MAC address of the Firewall interface. For traffic outgoing from an interface, the Source MAC is the MAC address of the Firewall interface that traffic is egressing from.

How do you use Snoop for Troubleshooting?

Following a packet using Snoop

KB6586 - What options are available when configuring snoop?

KB20562 - How do I view snoop output in Wireshark?

Knowledge Search

Login Assistance

Line 1	35455.0:	ethernet1(i) len=74:0010db1c5921->0010db1b44b4/0800
Line 2		10.1.10.5->1.1.70.250/1
Line 3		vhl=45, tos=00, id=49627, frag=0000, ttl=63, tlen=128
Line 4		icmp:type=8, code=0

Line 1	35455.0:	ethernet2(o) len=74:0010db1b44ba->0010db21be61/0800
Line 2		10.0.10.5->1.1.70.250/1
Line 3		vhl=45, tos=00, id=49627, frag=0000, ttl=62, tlen=128
Line 4		icmp:type=8, code=0

35455.0	Timer - this is the number, in seconds, since the last time the firewall was booted.
ethernet1( i )	Interface (direction) - where: ( i ) = incoming ( o ) = outgoing
len=74	ethernet frame length
0010db1c5921	Source MAC address
0010db1b44b4	Destination MAC address
0800	Protocol Type

10.1.10.5	Source IP address
1.1.7.250	Destination IP address
1	Protocol (ICMP in this example)

vhl	version/header length - IP version 4 and 5 32 bit words
tos	Type of service - this is not precedence or QOS bits set
id=49627	Datagram ID
frag=0000	IP fragmentation fields in Hex (16-bits) 1-bit = reserved (not used) 1-bit = DF bit 1-bit = more-frags (0 for last fragment, 1 for all others) 13-bit = fragment offset (multiply by 8 for bytes offset) For example: frag=2000 (0010 0000 0000 0000) more-frag set + 0 offset: this is the first fragment of packet. frag=4000 (0100 0000 0000 0000) DF set: packet not fragmented. frag=00b9 (0000 0000 1011 1001) more-frag not set: this is the last fragment. offset field (...0 0000 1011 1001) = 185, - multiply by 8 = 1480 bytes offset.
ttl=63	time to live value
tlen=128	Total datagram length (bytes)

Knowledge Search

Please Sign In

Login Assistance